Cybersecurity transformation for the operational technology environment What

Cybersecurity transformation for the operational technology environment

What is cybersecurity? If you ask 100 people, you may be surprised to find that you get 100 different answers. Cybersecurity has different meanings to everyone; understandably, it depends on the industry you’re in, the process control network you run, the corporate enterprise networks you support and the types of regulations that oversee your specific industry and/or business. A control system engineer might have a distinct definition, but technology professionals may have a completely different definition. To add to the confusion, everybody wants to be cyber secure or they have a mandate to be cyber secure, but because their views are all different, it slows down the process to engage in an effective cybersecurity program. Regardless of what definition is the most correct, the focus should always be on the clients’ needs and what clients believe cybersecurity means to them. There may be a gap between their definition and their specific needs to comply with leading practices, corporate policies and government regulations. It is also important to understand that cybersecurity is not just a hardware or software solution, but rather how these items are implemented and maintained in a comprehensive cybersecurity program. The reasons for implementing cybersecurity can be almost as numerous as there are definitions for the term itself, yet some will insist they have nothing to protect. Many people understand the need for cybersecurity, but how do we explain to management why we need it? Consider the questions below: Information technology vs. operational technology The world of traditional information technology (IT) has morphed greatly over the years into nontraditional roles such as supporting manufacturing and process control systems. As technology advances, so too must the skill sets, roles and responsibilities of IT professionals. Companies’ heavy reliance on IT and the evolution of skill sets required to support process manufacturing has outpaced the current skill capabilities and range of IT professionals. This evolution has given rise to a new role, operational technology (OT). The OT role focuses on the process controls required to operate the manufacturing side of the business, such as power and utility, oil and gas, manufacturing and building management systems. The differences between OT and IT can be somewhat confusing for those on either side when it comes to the specific roles each department plays within a company, but the OT departments and IT departments must work together to develop a company’s overall system policies as well as a cybersecurity compliance program, with both departments responsible for their side of the business. An effective critical infrastructure cybersecurity plan requires clearly defined and coordinated roles and responsibilities among OT personnel and IT personnel. However, as critical infrastructure systems and assets become more interconnected, accountability gaps as well as perceived overlaps have formed between the functional roles. • Who are the competitors that would benefit from your intellectual IT OT Purpose Transaction systems; business systems, information systems, IT security standards Control systems; control or monitor physical processes or equipment, regulatory security standards Architecture Enterprise-wide infrastructure and applications (business) Event-driven, real-time, embedded hardware and software (industrial) Interfaces Operating systems and applications, Unix, GUI, web browser, terminal and keyboard Electromechanical, sensors, Windows, actuators, coded displays – PLC, SCADA, DCS Ownership CIO, finance and admin. departments Engineers, technicians, operators and managers Connectivity Corporate network, Internet, IP-based Control networks, hard wired twisted and Role Supports business applications and office personnel Supports controls processes and plant personnel safety property? • Are you sure none of your critical systems “touch” the internet? • Do you rigorously scan all USB drives and confirm they are under constant surveillance while being used on the plantpremises? A comprehensive cybersecurity service is based on an assessment of the current network, development of the cybersecurity service that address the client’s needs (regulatory or internal), the implementation of the cybersecurity services and, most importantly, the management of the services once it’s up and running. Cybersecurity compliance on its own is not the complete solution to cybersecurity; it is the starting point that includes some type of risk assessment, security planning and methodology. The path to cybersecurity is through cybersecurity compliance and leading practices. Cybersecurity compliance helps provide a platform to build a more thorough and customized cybersecurity strategy for a given business in order to better prevent catastrophic cyber-attacks. 2 | Cybersecurity transformation for the operational technology environment | 3

pl e Im • Have a security plan: A plan will include critical asset identification, • Network separation: Separating the industrial automation and • Perimeter protection: Firewalls, authentication, authorizations, virtual private network (Internet protocol security) and antimalware software to prevent unauthorized access. • Network segmentation: Containment of a potential security breach to only the affected segment by using firewalls and virtual local area networks to divide the network into sub-networks and by restricting traffic between segments. This helps contain malware impact to one network segment; thus limiting damage to the entire network. 4 | Cybersecurity transformation for the operational technology environment Ass es t en m e pm en t Man ag OT cybersecurity transformation el o v e D • Why are firewalls determined to be the best approach? As se OT cybersecurity transformation m en t pm en t Ass es OT cybersecurity transformation m en t policies and procedures to cover risk assessment, risk mitigation and methods to recover from disaster. control system from other networks by creating “demilitarized zones” (DMZ) to protect the industrial system from enterprise network requests and messages. t en m e Following on the completion of the assessment, the next stage is the development phase. As the name implies, we use the assessment and the client’s requirements to develop a program unique to their needs. Prior to jumping right into network designs, it is important to develop a program that addresses not just the technology but also the timing. Our typical client does not always have the necessary downtime to implement all the changes that are required. In these cases, we can work with clients on a technology road map to the defined service priority based on time windows. We understand the nature of our clients’ industries and that “rebooting” the network is not always an option. nt me ss Just because you are compliant to a cybersecurity standard or regulation doesn’t mean you are 100% cyber secure. True security is a comprehensive program of compliance, cybersecurity services and an organizational awareness of the risks and benefits of the technologies deployed in our modern industrial control systems. Man ag The compliance process provides an overview of gaps, risks and statuses as set forth by a cybersecurity standard used as the framework, NIST-800 82 for example. This information is used to define assets that will need to be secured within the infrastructure and the extent of the security controls that must be applied. The deployment of the required security controls should always adhere to cybersecurity leading practices. The starting point for any engagement is the assessment. This is where we work closely with the client to assess their current network to help identify problems and develop requirements. The goal of the assessment stage is to define a risk-based assessment of the client’s network to understand what the true needs of the client are. As an example, if a client wants three firewalls installed, the first questions are: pl e Im Implementing firewalls and anti-virus software alone, which does not make you cyber compliant or cyber secure. These items are a small part of a larger picture, such as adequate policies and procedures, proper system maintenance, patching at regular intervals and following industry leading practices. These industry best practices include things such as: Any comprehensive cybersecurity initiative begins with a compliance assessment program and is monitored throughout its life cycle. When executed properly, the outcome of the compliance program is the remediation checkpoints that drive the cybersecurity services. t en sm Some of the most dangerous compliance assumptions include: communications; regular patch updates of software and firmware. Stage 2: Develop pl e Im So, what is compliance? Compliance is defined by laws, regulations and governing bodies. These standards generally contain a list of requirements that must be met to declare the user as compliant. Further, being compliant requires the processes, tools and organizations to sustain the program in a manner that can be audited. Basically, you must be able to display the actions and evidence required to show that you meet the requirements. • Monitor and update: Surveillance of operator activity and network Stage 1: Assess t en sm Trying to understand the difference between compliance services and cybersecurity services can be very confusing. Every discussion on cybersecurity is interlaced with compliance elements and cybersecurity service features, which is compounded by the number of standards on the topics that primarily address compliance, so it is no wonder that many people confuse cybersecurity compliance with being cyber secure. Cybersecurity compliance, while complementary to cybersecurity solutions, is not the same as being cyber secure. definition and deactivation of unused services to strengthen security on devices. el o v e D • How was the quantity of three determined? • Who determined the locations of the firewalls? pm en t The difference between compliance and cybersecurity • Device hardening: Utilizing password management, user profile Man ag In many industries, focus has shifted to more regulatory compliance rather than comprehensive security. The existing federal and state regulatory environment creates a culture within businesses and industry of focusing on compliance with cybersecurity requirements instead of a culture focused on achieving comprehensive and effective cybersecurity. Cybersecurity is enhanced when IT and OT converge, and failing to address both the corporate and regulatory cybersecurity requirements can be detrimental to network security. el o Dev In many cases, this is putting the preverbal cart in front of the horse. A risk-based assessment determines what the client needs to protect and the level of risk is appropriate for the network asset in question. Keeping control room connectivity is probably a higher priority than keeping power to the break room. This type of assessment helps the client to determine what their actual needs are versus their wants. The assessment is also an important element of most regulatory programs and plays a crucial role in most companies in determining budgeting. With project timing addressed, we can move onto network design. Here, we defer to EY’s eight cornerstone services (see below), addressing the clients’ preferences for hardware (switches, firewalls, etc. ) and software (anti-virus, malware prevention, etc. ). The conclusion of the Development stage is a truly comprehensive cybersecurity service that addresses not just the client’s unique needs but also their timeline as well as internal corporate mandates, such as preferred vendors. The transformation methodology consists of four key stages: 1. Assess 2. Develop 3. Implement 4. Manage These four steps are not only critical to developing a holistic cybersecurity service, but they also outline critical points of our client engagement. Cybersecurity transformation for the operational technology environment | 5

Stage 3: Implement Stage 4: Manage Ass es pl e Im Man ag pm en t nt e em pl e Im el o v e D Ass es t en sm OT cybersecurity transformation m en t Many companies skip or just ignore the management step altogether, believing that their cybersecurity elements will now protect them going forward. This might be true if the company never makes any changes after the cybersecurity service went in; however, this is not practical, as today’s process control networks are dynamic. There always changes, patches, adds and drops to keep in mind. OT cybersecurity transformation m en t pm en t t en m e In many cases, the implementation stage would be seen as the final step. However, in cybersecurity, the most important phase is always the management stage. At this stage, we work closely with the client to outline security management service(s) for the network, providing a mechanism to improve and optimize the continuously changing landscape of network usage. t en sm Man ag With the assessment and development stages complete, the next stage is implementation. At this point, we work with the client to implement the network design from the procurement through staging and commissioning of the cybersecurity control(s). This is a very unique point for our team. Unlike many cybersecurity firms that will come in and do a report or assist on a network design, our team will perform the cybersecurity service implementation and cut over. Our team has not only cybersecurity knowledge but the industry and control experience to be able to work seamlessly onsite, interfacing with both the process team as well as the IT team, as needed. el o Dev These daily operational exercises run the risk of compromising the security of the network. Management provides the means to be able to monitor changes, track updates, and detect unconditional behavior alerting you to a potential issue before it can become an event. Stage 4: Management is by far the most important stage to help safeguard network integrity. 6 | Cybersecurity transformation for the operational technology environment | 7

Eight cornerstones for OT cybersecurity We work directly with clients, leveraging our OT cybersecurity transformation methodology. In support of the transformation methodology, we have identified what we refer to as the eight cornerstones that provide a foundation that every client can benefit from, whether they are starting a cybersecurity program from scratch or reassessing an existing one. The eight cornerstones represent what we have found to be the most commonly needed controls. Each control is defined to address specific risks and vulnerabilities and can be deployed individually, all at once or over a defined period of time. 1. Asset identification: Inventory of critical assets in the network. With the rush to gain security in an OT environment, comes the need to provide proper asset criticality identification. Much focus tends to be on the large assets or “smart devices. ” However, any device that is attached to the internet (Ethernet, Wi-Fi, Bluetooth, etc. ) is as much a target as the main systems themselves. Typical assets that are overlooked are HVAC, security cameras, thermostats, badge readers, the “things” that make up Internet of Things (Io. T). 2. Electronic access controls: Deploying next generation firewalls and security gateways. OT devices are only one part of the security equation. The network that interconnects the devices is as critical as the device itself. The need to inspect, audit and control the communications into and out of the network is essential as the number, variety and complexity of connected devices increases. With the increasing use of Io. T devices, they need to be reviewed in the same manner as bring your own device. 3. User access controls: Password policies, compliance and maintenance. Properly organizing users and applying least privilege access and password policy is important. With the increase of Internet connected smart devices, it is more important than ever to change Io. T device default password settings. Assure any “back doors” are configured; Telnet, SSH, odd ports. 4. Patch management: Deploying critical software updates. Even today, critical vulnerabilities such as Shellshock and Heartbleed continue to be found on Internet connected devices. Patching systems in the OT network is challenging. We apply methods to group systems and define a sustainable patching program. It will be essential to plan for future patching and upgrades to new connected devices as their numbers grow. 5. Centralized endpoint protection: Deploying advanced antimalware technology. As Io. T drives connected devices and increased data traffic, the ability to keep pace with the growing endpoints and access to data will be critical. Io. T will provide the ability for more data to be collected, transferred and uploaded than ever before. Providing security at these numerous ingress and egress points will help to reduce data leakage and unauthorized use of portable media, such as USBs, that are the workhorse for so many cyber attacks. 8 | Cybersecurity transformation for the operational technology environment 6. Disaster recovery: Backup and recovery planning. Proper network -based backup strategies are needed in the OT environment. Also, disaster recovery is commonly overlooked when deploying new technologies, such as Io. T. Verifying if the device has the capability to save configuration files. How is the configuration restored to a device? Can you take control of devices if your primary center is unavailable? The process should include proper scheduling of backups and regular testing to provide data integrity. 7. Log management: Capturing key system events and syslogs. Connected devices will increase overall system traffic on the network. This, in turn, increases the volume of logs being created. Providing data integrity is key to the success of Io. T networks and being able to collect and aggregate these logs is one way to confirm that network events, system health and alerts are being collected and monitored. 8. Managed services: 24/7/365 monitoring of events. The ability to have substantial visibility into OT networks has been limited. Today, there are purpose built solutions that will enable this visibility. Along with visibility of the OT networks they can be leveraged to monitor emerging solutions in Io. T. There are more Internet-enabled devices driving more traffic from more locations than before. This results in large network “blind spots. ” Situational awareness provides the necessary visibility into the network to monitor events in real time; reducing blind spots and improving data integrity. Conclusion Cybersecurity is much more than a project; it is a journey. That journey starts with assessing what your individual risks and vulnerabilities are, then being able to apply a methodology such as EY’s OT cybersecurity transformation methodology to provide a comprehensive methodology that will not only identify the risks but drive to the solutions based on foundational cornerstone services. It is important to always remember the following points: • Cybersecurity does not equal compliance. • Compliance begins with a comprehensive cybersecurity life cycle methodology. • Compliance is people, processes and procedures. • Cybersecurity is technology, compliance is people. • Point solutions on their own do little against protecting critical assets from cyber attacks; they give companies a false sense of security. • Companies are just as likely to be victims of attacks if they rely solely on point solutions. A comprehensive cybersecurity program that addresses regulation requirements, policies and procedures and uses a defense-in-depth strategy is the best approach. Cybersecurity transformation for the operational technology environment | 9

Notes 10 | Cybersecurity transformation for the operational technology environment Notes Cybersecurity transformation for the operational technology environment | 11

Contact us Are you interested in discussing how to further engage with your clients on this topic? Contact our Io. T OT cybersecurity team: Tom Jackson, CISSP Senior Manager, Io. T/OT Cybersecurity Ernst & Young LLP +1 972 740 7367 EY | Assurance | Tax | Transactions | Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey. com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US. © 2017 Ernst & Young LLP. All Rights Reserved. EYG no. 06344 -171 Gbl CSG no. 1710 -2437006 ED None This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice. ey. com